Researcher says he was threatened after finding major DJI security flaw

Drone maker DJI has been roundly criticized this weekend over its alleged response to security researcher Kevin Finisterre's discovery of a significant security issue involving the company's systems. According to Finisterre, he began hunting for bugs in DJI's systems under its recently established bug bounty program. In the process, Finisterre says he discovered a major security issue, but rather than rewarding him for his effort, DJI accused him of hacking and threatened to report him to the authorities.

DJI announced its bug bounty program in August following a report that claimed the U.S. Army had banned use of the maker's drones over security concerns. As part of its announcement, DJI had stated:

The DJI Threat Identification Reward Program aims to gather insights from researchers and others who discover issues that may create threats to the integrity of our users’ private data, such as their personal information or details of the photos, videos and flight logs they create.

According to a long report on the matter published by Finisterre, he spent many weeks communicating with DJI through email about the scope of its bug bounty program, which hadn't yet been publicly defined. After receiving confirmation that it included the company's servers, Finisterre went to work in writing up a report disclosing his discoveries. Speaking of which...

Due to multiple security issues, including publicly available AWS private keys for DJI's photo-sharing service SkyPixel, Finisterre reports that he was able to get access to highly sensitive user data, including identification cards and passports, flight logs, and driver's licenses. Once he found this flaw, he claims that he alerted DJI to the vulnerability and that the company acknowledged it.
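The root cause the article attributes to the SkyPixel exposure is credentials that were publicly reachable. The following is an added example, not code from the article, from DJI or from Finisterre's report: a small scanner of the kind a defender runs over a source tree or deployment bundle before it ships, looking for AWS access key IDs (AWS documents these as a four-letter AKIA/ASIA prefix plus 16 upper-case alphanumerics) and 40-character secret access keys next to a "secret"-style variable name, with a Shannon-entropy check to drop obvious placeholders. The sample file contents are constructed; the credential values are the placeholder keys from AWS's own documentation, not real keys.

```python
import math
import re
from collections import Counter

# AWS access key IDs are 20 characters: a 4-letter prefix (AKIA for long-term
# IAM keys, ASIA for temporary STS keys) plus 16 upper-case letters/digits.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")

# Secret access keys are 40 characters of a base64-like alphabet. Alone that
# pattern is noisy, so require a "secret"-style variable name on the same line.
SECRET_RE = re.compile(
    r"(?i)(aws_?secret[_a-z]*|secret[_-]?key)\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})['\"]?"
)

# Constructed sample tree. The credentials are the placeholder values from
# AWS's own documentation, not real keys; the JS file holds a low-entropy
# dummy that a bare 40-character regex would flag but the entropy check drops.
SAMPLE_FILES = {
    "config/prod.env": (
        "# constructed sample, not a real credential\n"
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "src/upload.js": (
        "// constructed placeholder, deliberately low entropy\n"
        "const secret_key = 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA';\n"
    ),
}


def shannon_entropy(s):
    """Bits of entropy per character; a real random key scores well above 4."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value, keep=4):
    """Mask the middle of a credential so the report never re-leaks it."""
    return value[:keep] + "*" * (len(value) - 2 * keep) + value[-keep:]


def scan_text(name, text, entropy_threshold=4.0):
    """Return one finding per credential-looking token in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"file": name, "line": lineno,
                             "kind": "aws_access_key_id",
                             "value": redact(m.group(1))})
        for m in SECRET_RE.finditer(line):
            secret = m.group(2)
            # Placeholders such as 'AAAA...' have near-zero entropy; real
            # secrets do not, so this cuts most false positives.
            if shannon_entropy(secret) >= entropy_threshold:
                findings.append({"file": name, "line": lineno,
                                 "kind": "aws_secret_access_key",
                                 "value": redact(secret)})
    return findings


def scan_files(files):
    """Scan a {path: contents} mapping (e.g. built from os.walk) in order."""
    findings = []
    for name, text in files.items():
        findings.extend(scan_text(name, text))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']}: {f['kind']} {f['value']}")
```

Run against the constructed tree it reports the key ID and the secret in config/prod.env and nothing for the low-entropy JS placeholder. In a real pipeline the same check belongs in a pre-commit hook and in the build that produces a client bundle, since a key shipped inside a web or mobile client is public the moment the app is.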

After more than 130 emails back and forth between DJI and Finisterre, he states in his report that DJI said he would be rewarded with $30,000 under the bug bounty program (the maximum award). However, Finisterre reports that weeks later he received an agreement for his particular bug bounty that was "literally not sign-able." As he goes on to explain in his report:

I won’t go into too much detail, but the agreement that was put in front of me by DJI in essence did not offer researchers any sort of protection. For me personally the wording put my right to work at risk, and posed a direct conflict of interest with many things including my freedom of speech. It almost seemed like a joke. It was pretty clear the entire ‘Bug Bounty’ program was rushed based on this alone.

Efforts to alter the agreement didn't pan out as hoped, says Finisterre, who goes on to claim that several different lawyers advised him that DJI's final offer was "likely crafted in bad faith" and that it was "extremely risky" for him to sign it. It was about this time that Finisterre also received a legal demand from DJI ordering him to delete/destroy the data he had gathered during his investigation, while appearing to threaten Finisterre with the Computer Fraud and Abuse Act.

In a statement to Ars Technica, which was the first to cover this spat between DJI and Finisterre, the Chinese drone giant referred to Finisterre as a "hacker," claiming that he had accessed one of the company's servers without permission and that he had tried to claim it under the company's bug bounty program without following "standard terms for bug bounty programs." The statement goes on to claim that Finisterre "refused to agree to these terms, despite DJI’s continued attempts to negotiate with him, and threatened DJI if his terms were not met."

For his part, Finisterre says that he ultimately turned down the $30,000 in favor of going public with what he sees as an unsettling and unacceptable experience, concluding with the following statement:

If you are wondering if DJI even bothered to respond after I got offended over the CFAA threat, you should be happy to know it was flat out radio silence from there on out. All Twitter DM’s stopped, SMS messages went unanswered, etc. Cold blooded silence.

Comments

Since the Chinese "communist" government demands from tech companies to provide access to their servers in order to operate in China, this case would be very plausible for DJI to be acting so sensitive about it, and being overprotective to the point of legal threats. And I worded "communist" like that because the Chinese government is not even communist. It's a dictatorship and a bunch of real human rights criminal scumbags.

Easy answer to the whole question. Don't like what they do? Don't use them or their products. I certainly wouldn't. I think anyone who does is a fool. However, there's one born every minute, so the choice is all your own.

The story is reported as "Researcher says he was threatened after finding major DJI security flaw"...

But, then we discover that they were willing to pay him the maximum bounty, but he didn't like the terms they offered.

How about he comes clean with the details of that agreement rather than holding on to critical information that would allow people to make their own minds up? The "I won’t go into too much detail" sidestep is not good enough.

Obviously he is miffed about something. But he will have to make a case with full disclosure if he is to be believed.

Not all details are reported here. https://dronelife.com/2017/11/16/dji-flawed-bug-bounty-program/

“You will defend and indemnify DJI and its officers, directors, employees, consultants, affiliates, subsidiaries and agents (together, the “DJI Entities”) from and against any and all claims, liabilities, damages, losses, and expenses, including reasonable attorneys’ fees and costs, arising out of or in any way connected with: (a) your Report; (b) your violation of any portion of these Terms, any representation, warranty, or agreement referenced in these Terms, or any applicable law or regulation; (c) your violation of any third-party rights, including any intellectual property right or publicity, confidentiality, other property, or privacy, right;...”

Sounds like you could actually be financially liable for submitting a bug report. Yeah great reward, thanks for making us more secure, here is a bill for what it cost us to fix it up...

The company is protecting itself against being sued by the reporter of the bug for damages related to the discovered vulnerability, or from the action of reporting the vulnerability. Payment of the bounty would otherwise potentially be an action admitting liability.

The company is also protecting itself against damage that the bug reporter could cause by exploiting the bug that he discovered, or by assisting others in doing so.

It is sensible for them to try to prevent a situation where someone claims the bounty and also profits from exploiting the discovered vulnerability.

The purpose of bounties is to allow companies to fix serious problems with minimal damage to the company's business, reputation or financial wellbeing. It seems that the individual who discovered this bug might not understand that, but rather sees the bounty as merely some kind of competition prize.

"“You will defend and indemnify DJI and its officers, directors, employees, consultants, affiliates, subsidiaries and agents (together, the “DJI Entities”) from and against any and all claims, liabilities, damages, losses, and expenses, including reasonable attorneys’ fees and costs, arising out of or in any way connected with: (a) your Report"

Thanks for making my day. The researcher finds the bug, and now he has to assume the liability of defending DJI entities?

And lawyers never, ever overreach in any way for the benefit of their own party. No, sir! This is why you have your own lawyers, of course.

When it says that you "will defend and indemnify" the company and a parade of other people against "any and all claims... arising out of or in any way connected with: (a) your Report", it doesn't sound like a promise that you won't sue the company for no reason.

Instead, it sounds like you're on the hook for all sorts of class action lawsuits by angry punters against the company and virtually anyone else who handles these products. Or they hang you out to dry when random governments get upset about "cybersecurity".

In other words, "it's this guy's fault because he told people about it". It's almost like some kind of liability transfer stunt where you give people $30K and see how much legal defence it will buy them when people turn up the heat.

@Paul. What something "sounds like" and what is legally binding are two entirely different things.

It's a stretch to suggest that the reporter of a bug would be subject to "all sorts of class action lawsuits by angry punters against the company and virtually anyone else who handles these products.", as you put it.

Such an attempt to divert liability would be entirely without merit in a court of law.

On the other hand, if the bug reporter exploited the vulnerability in a way that damaged the company, then they would have a case. In such a scenario, the company would not only be justified in withholding the bounty, but they would also be justified in seeking damages.

Most people never read the legal small print on contracts, software licences, financial transactions, and such. If they did, they might be surprised by similar legal language designed to close potential loopholes that would weaken a company's ability to defend itself in court, should the need arise.

Well, there are safeguards in place against unfair contracts. But I doubt that this guy thought that $30K is enough to put those to the test. And I also doubt that he wanted to test how successful some class action legal sharks might be when they name him as being jointly liable to some "injury" that their clients have experienced.

If anything, the company should be indemnifying other people in the case of lawsuits about their faulty products, obviously obliging those people to not tell others the details of vulnerabilities until the faults are fixed. This is probably how it normally works.

Any terms with an obligation to defend the company scream "run away very quickly". Agreeing that you won't hold the company liable for "opening Pandora's box" is one thing, but any hint that you'll be sharing in the company's liability is something else.

And I imagine that this is what his lawyers told him, whose views are what really matter here.

It could potentially, Daryl. Anything that looks like an admission of liability, such as voluntary "compensation" (aka bounty maybe) would.

It is not unusual for contracts or agreements to include clauses that fend off a person's legal recourse to sue under some circumstances.

Legal language is different to colloquial language. I knew someone a few years ago who interpreted his broadband contract to mean the broadband provider became the owner and rights holder of whatever he transmitted to any remote server on the internet... be it a photo, an email or a document.

He was convinced of it due to his own interpretation of the legal clauses. He claimed he sought legal advice, though he was the type of person who wouldn't agree with a lawyer if he didn't give him the answer he liked. Clearly he was misinterpreting that standard contract.

"In this context, it means NOT to take the side of the plaintiff if the company are the defence."

A link to this definition of "defend" in contract law would be helpful. We all get what "defend" means in general and in a broad legal context.

Why do they not just state that the other party promise not to sue them? They already ask that the company be indemnified, after all. Is it a flourish of the pen?

Or are they asking that the other party not provide evidence in case someone else does sue them? Or, conversely, are they compelling the other party to provide evidence in their defence in such a lawsuit? The latter seems to be the only reasonable explanation to me.

Still, it seems vague unless there's a canned legal idiom at work here. And vague is bad in legal documents.

@Paul, Good questions! It is me who is vague in avoiding legal terms, in an attempt not to come across as a lawyer as I am not in a position to give legal advice. But I know that in contract law those terms do have specific meanings.

From looking it up, the specific meaning in contract law of defend is to accept responsibility for fees and costs involved in defending a lawsuit against the indemnitee. In this case, I understand it to refer to fees and costs as a result of having to defend due to the prohibited actions on his part.

Indemnification is the duty to reimburse losses sustained by the indemnitee as the result of a judgment being entered against the indemnitee. Again, I understand that to mean that he would agree to be responsible for the damages/losses from him breaking the agreement not to take any of the prohibited actions (e.g. misuse of intellectual property rights, publicity, confidentiality, etc.)

Thanks for clarifying the definitions! I only have a general idea of what these concepts mean, not being a lawyer myself.

But in general, these kinds of agreements (and all the ones imposed by companies on the Internet on their users) should be clearer about the obligations of each party. There is no incentive for companies to do this, of course, which is why you need legal involvement to uphold the interests of the other party.

"Perhaps publishing some details might have caused concern for him?"

Well, people in this business need a degree of publicity in order to cultivate a reputation and possibly bring in paid work. How else would the guy afford the deposit on a Tesla Model 3?

Team Yeti, companies (both large and small) don't play fair if they don't have to. That is standard business practice. That goes regardless of the government. Read the EULA of any product from any company. Not one of them is fair.

China isn't communist. Sure, they have a political party called the Communist Party, but that's just a name. China, in many ways, is more capitalist than the USA. The USA is, in many ways, more restrictive than China. It all depends on your perception and goals.

In addition, judging an entire nation based on one company, or judging one company based on an entire nation is a bit ignorant. There are honorable and dishonorable businessmen and women in both nations.

MikeFairbanks, I agree with a lot of what you said. However, I'm not sure there is such a thing as an "honorable" company, even if a company has honorable employees. Can you name one "honorable" EULA? Can you name one EULA which provides as much protection for the consumer as it does for the company? Can you name one EULA which is open to negotiation so that the consumer can add protections for themselves or ease unreasonable restrictions?

china is a capitalist nation ruled by a communist party elite ... they have nothing to do with communism now save for some fossil remnants in their social structure and in the brainwashing of their citizenry

they are a totalitarian authoritarian capitalist nation much like the usa

I fail to see what DJI did wrong. If the contract that DJI offered contained an unacceptable clause(s), Mr. Finisterre has failed to divulge them. The actions of DJI, as described by Mr. Finisterre, are entirely consistent with a company concerned with protecting the private data of its workers and customers.

Mr. Finisterre says he accessed "highly sensitive user data, including: identification cards and passports, flight logs, and drivers licenses." DJI must absolutely ensure that any information is destroyed and not shared nor divulged. The $30K must therefore include some form of non-disclosure agreement.

After failing to reach such an agreement, it was also appropriate for DJI to send a legal demand that all information be destroyed. Regardless of whether an agreement is reached, Mr. Finisterre is not entitled to the "highly sensitive user data" he accessed.

Based on Finisterre's comments, DJI's demands went well beyond protecting customer data, likely containing both some kind of gag order, preventing him from disclosing his findings (not the private data itself, but the fact that DJI had stored its data in such an insecure manner) and, from what I've read elsewhere at least, some sort of non-compete clause. It would absolutely be great to see an explanation of just what the problematic language was, but there may have already been an agreement in place protecting that.

I'm not sure where you get the impression that Finisterre ever tried to hold on to DJI's data. Rather than honor the previously agreed upon terms of their bug bounty program, DJI tried to backpedal and likely silence Finisterre. This is not how bug bounties work (usually there's a timed disclosure agreement), and is a pretty good indication DJI was more interested in keeping things quiet than actually fixing the issue. Finisterre did the right thing in going public.

A "gag order" is only issued by a judge. He was offered a non-disclosure agreement, which is a contract, in exchange for $30k. All "security researchers" working for all companies have non-disclosure agreements saying that in exchange for compensation, they will not keep, share, nor divulge any data or security vulnerabilities they find.

Based on the link, he disagreed with the clause regarding divulging DJI security vulnerabilities to the public without DJI's permission and wanted the clause deleted.

"where you get the impression that Finisterre ever tried to hold on to DJI's data"

I never said that. He admitted to accessing their data. DJI must ensure that data is destroyed, through either a non-disclosure agreement or a legal demand. That is NOT accusing him of wrongdoing, nor is it saying he still has the data. DJI is doing what they are legally required to do, which is: protect the private data of their employees and customers.

With the failed non-disclosure offer, the legal demand was necessary. Without it, it could be construed that permission had been given for him to keep any such data (whether he has it or not) and DJI could be sued by their employees or customers for failing to take steps to protect their private data.

I've written paragraphs explaining why DJI's actions seem to be appropriate (to the best of my knowledge). You've ignored that and focused on a single sentence made to counter an accusation of forced silence (gag order) to point out he was actually offered an NDA in exchange for money.

And it's not just semantics. It is an extremely important distinction when people are accusing DJI of suppressing his free speech. Taking money in exchange for silence is a mutual agreement (willing), not forced silence (unwilling).

"An NDA doesn't ensure data is destroyed."

'NDA' is simply a word describing a general type of contract. Since it is simply a contract, it can contain any terms agreed to by both parties (such as a promise to destroy data). Whether you want to still call it an NDA is... semantics.

Typical arrogance of a company that has become gorilla size and weight. Personally, and as much as I can, I avoid buying anything from gorillas, such as DJI, Adobe, ..., etc. Aside from that, DJI abides by its own country's privacy regulations, which means the Chinese government has access to everything on DJI's servers. I'd never buy a DJI product, especially after this episode.

It's very simple. Western companies need to ban DJI from any contracts at all. It also sounds as if there might need to be legal action taken against them. They need to honour their public offer to reward Kevin Finisterre for finding the security flaws in their systems, mend them, and take a more respectful attitude towards the security of their customers. No wonder the US army has banned the use of their drones - the company cannot be trusted.

While both countries are deeply invested in electronic surveillance and warfare, only one of them is involved in manufacturing most of the world's electronic devices, and unfortunately, that isn't the US. That is where the concern is.

The US is also highly adept at these things, but we don't (yet) force companies to hand over all of their data (like DJI is subject to) -- Heck, we have to invent creative ways to hack iPhones because we can't make Apple divulge info to the feds!

You can bet your bottom dollar China was absolutely *DROOLING* when the US Army (like an idiot) picked up DJI drones for ops.

There are actually acquisition laws in place that ban manufacturers from using non-trusted sources (China included) for many types of weapons -- I'm surprised the Army was able to get around this (maybe it was a cheap field test or something).

As a security person, I have to agree. Finding a flaw is one thing and actually exploiting it is another, and will almost always get you in trouble. People have landed in jail for misunderstanding their scope of operation.

I seem to remember a case of someone just cutting off the end of a URL in their Web browser's address bar - not so crazy given that it is editable, after all, and people are expected to type these things in - and they ended up seeing something they shouldn't. This resulted in legal threats, maybe even prosecution.

So what about those situations? That people just find things. Search engines trawl up all sorts of accidentally-published information all the time. Indeed, I know of various cases of organisations accidentally leaving lists of personal information open to the wider Internet. No-one has "hacked" anything.

It is absurd to say that upon following a link and being presented with something that shouldn't be there (and that wasn't expected to be there), that anyone is "exploiting" anything. They have merely discovered a vulnerability and should have a reasonable way of reporting it.

Well, it would be prudent of DJI to demand of Finisterre to delete everything he had obtained from DJI's servers, even if they didn't know if he had downloaded anything. Note that Finisterre claims that "he was able to get access to highly sensitive user data", not that he actually downloaded said data.

From my reading here and on Ars Technica, Finisterre never actually stored any of DJI's data locally. Yes, he "gained access" and obviously did enough poking around to verify what he'd found, but if DJI felt they had a case here (there were already, evidently, emails confirming the services in question fell under the bug bounty program), I'm sure Finisterre would be in court right about now.

DJI's demands to delete any data sound pretty standard and normal for this sort of situation. I don't see anything interesting or unusual in this part of the story.

People want drones, if DJI goes bankrupt they'll buy drones from another company who will also make them in China. This issue goes across all products where the maker has added a network connection, like home appliances (Samsung refrigerators) and many, many toys this Christmas.

I was looking at wifi mesh systems, and several of them require you to let them monitor your home network to train the machine learning that optimizes the network performance for all customers. That is an advantage, but at the cost of having your network activity analyzed from afar. If they do it right, that data is anonymized. If they do it like DJI, they keep too much information and leave it on insecure servers. I had to cross off any products that could only work if I let their router talk to their remote server.

I really don't want to sound douchy, but this is one of those moments when I am happy to say: "I told you so."

I have repeatedly criticized DJI for trying to seize control of data which they should not have any authority over, and for dictating how, when, where and even if their gear (that people paid large sums of money for) can be used. It's not a job of the manufacturer to do so, because whenever that happens, there's ALWAYS high potential for such power to be misused and mismanaged. We have proper authorities to take care of that (that's why professionals get licences in the first place). And I was bashed repeatedly for this opinion of mine. "It's for our own security", I was told, "you are just a hater that does not want drones to be regulated!!!"

So, to those people I say: I hope you feel real secure, guys. Enjoy! I assure you, this is not the last DJI-related controversy we will hear about.

@ozturert - That's what I was thinking. Over the recent US Thanksgiving holiday, I kept pointing out to family members how Google was snooping. (One example was one person searched for an app on their phone, and moments later everyone else discovered that app was the first one suggested when they started searching.)

Every time, I would point out that it would have been illegal for the police to do that, but when Google does, it is "helpful."

I can tell you right now that I am not buying anybody (including myself) any "Internet of things" Christmas presents that need you to enter personal information that gets sent to a server in China. I've read too many stories about sloppy security/privacy on all kinds of Internet-connected devices from home security cameras, connected speakers, climate controls, toys, routers, drones...

I'll hold out as long as I can, but I know some day you won't be able to buy a ____ without it being enabled and monitored from afar. I hope industry and government get serious about personal data security before that day, but even though this is ultimately a national security issue, the current government shows no signs of doing anything but moving in the opposite direction from the ideal.

We have the same attitude in Europe regarding US: do not bring any sensitive data in laptops if you work for strategic companies because Customs/NSA/whatever may decide to access them for industrial espionage (they will say "Security reasons").

If the story is as told, DJI is dumb to threaten him. Should have paid him to stay quiet and worked with him to plug the hole(s). In today's social-media-crazed age, threatening one person just means he will tweet about it or put it on Facebook, and suddenly tons of ppl will know about the incident. Dumb dumb dumb. Or is it "free publicity is good publicity"?

If DJI didn't want holes plugged, it was kind of an odd move trying to institute a bug bounty program (even if said program seems to have crashed and burned in about as spectacular a manner as these things can go).

I've actually experienced something like that for real, except it was a broken lawn sprinkler which pretty much looked like a broken pipe. A neighbour mentioned it on the WhatsApp group and all hell broke loose, which ended up in the authorities being called and an end to the WhatsApp group.

Arrogant, yes. Struggling, not yet. As a security researcher though, I can tell you that the mistakes they made were egregious, and the way they handled it was even worse. If I were doing anything even slightly sensitive, I'd ditch DJI and just hook up a Canon piece on a drone. Both Canon and Nikon have been used in sensitive government contexts, whereas (I'd very much hope) DJI has not.

Sorry, I too love a "one guy beats large firm" story, but a company has products A, B and C that connect into server X and then asks people to find bugs in software A. Isn't it a tiny bit logical that they don't like it if somebody goes hacking into server X? If I ask you to hit me in the stomach because I've been training my abs, then I wouldn't like it if you kick me in the face... They wanted a limited scope of bug finding in one area. However, DJI completely missed a great marketing opportunity here. They just should have paid and learned that inviting hackers to test their products is not a good idea. And the lone hacker should learn his boundaries first... So now everybody loses. But I feel not sorry for any of them involved.

What if someone just stumbles across a vulnerability? This kind of thing happens, especially with Internet-facing services, and it need not be anyone doing any "hacking". The responsible thing is to disclose the information to the vulnerable party, but that isn't going to happen if they start accusing everyone of being a "hacker".

Unfortunately, the whole area of vulnerability reporting has become a circus. People apparently get offered big money for exploits by criminals and there are marketplaces for exploits in operation. Others use their discoveries to pump up their consulting businesses by "branding" the exploits they find. You can even buy the T-shirt.

If companies are serious about security then they should at least establish decent channels for handling vulnerability information. Here, the affected services may have been violating data protection laws. So, the cavalier approach to security may now have more serious legal consequences, too.

"According to a long report on the matter published by Finisterre, he spent many weeks communicating with DJI through email about the scope of its bug bounty program, which hadn't yet been publicly defined. After receiving confirmation that it included the company's servers, Finisterre went to work in writing up a report disclosing his discoveries."

And, according to his account, when Finisterre tried to actually report what he found?

"I won’t go into too much detail, but the agreement that was put in front of me by DJI in essence did not offer researchers any sort of protection. For me personally the wording put my right to work at risk, and posed a direct conflicts of interest to many things including my freedom of speech. It almost seemed like a joke. It was pretty clear the entire ‘Bug Bounty’ program was rushed based on this alone."

@chaos215bar2 from the last sentence of that quote, it's implicit that he had already identified the server vulnerabilities _before_ it was agreed that the servers were within scope of the bug bounty program. That's like negotiating to borrow someone's car, and when they agree and ask you when you want it, telling them "Oh thanks, I already took it out last week". I haven't been following the details of this story, but if that quote is accurate it doesn't sound like DJI is the only party that acted in bad faith.

Do you guys know anything about finding weaknesses? I'm sure he suspected the vulnerability immediately but there is no way to tell for sure without testing it. He could have tried "I think you may have this vulnerability" approach and they would have said "no we don't" and fixed it quietly. The only way to know for sure would be to do it for real and he did nothing malicious with the data so there was no kicking in the face metaphorically speaking. If they had acted on good terms they would have just paid the money given a standard NDA and fixed the problem. Now he really has kicked them in the face.

@JeremiahL, ross attix, the fact that he entered into weeks of negotiations around whether the scope of the bug bounty program included the servers kind of ruins the argument "server X is a component of product A, and is fair game if the company asks people to find bugs in product A". The terms of the program obviously had enough ambiguity that he thought the question was worth asking. If before an agreement was reached he had then proceeded to access private data on the servers, then unless this was disclosed as part of the negotiation, his part in those _negotiations_ was not in good faith, even if the action itself was in good faith. You simply cannot have negotiations in good faith on an agreement unless both parties are aware the agreement is retrospective. I completely understand that no malicious hacker is going to respect that distinction, particularly given that the servers would be the low-hanging fruit in terms of both vulnerability and potential payoff.

You are largely correct but if they sell drones in the UK then their business comes under the Data Protection Act. It is likely that the regulators here will fine them a hell of a lot more than $30,000.

If what you're saying is true it explains why teenagers, criminals, and hostile foreign governments have been able to rummage through our most sensitive data without fear of detection or consequences. The idea of asking hackers to test your system, but only so far, makes no sense, unless you're a company run by idiots.

Human psychology dictates that internal teams are never going to really test the system because they would be a) violating company rules even though they're technically allowed to and b) making their co-workers who built the protection look bad. Employees just won't do that, too much socialization, no matter what color of team they're on.

And I'm happy for some of it - I have silent shutter, flexible exposure bracketing, more video choice, full scriptability of my camera since I hacked it :)

On the other hand, it's surprisingly simple to leave all these newfangled thingies and live without them if one truly desires it (I was kinda forced into such a life for a few years and you adapt quite fast).

And many of the biggest threats to information security are internal ones, not some guy in a hoodie sipping an energy drink and typing one-handed while bathed in screen luminance in his distant subterranean lair.

So the US army was right all along. DJI is a major security risk. Finisterre is lucky he is not living in China. He would have been in solitary confinement by now. No DJI branded products for me thanks.
